Helge Hafting wrote:
>> please do you have any idea whether it is safe to blindly use ssconvert or
>> gnumeric, in the sense that an attacker can't write e.g. some excel
>> macro-virus which would get executed via ssconvert or gnumeric?
>>
> I don't know if ssconvert supports excel macros well enough to run a virus. 
> I thought macro viruses generally abused a visual basic interface that 
> doesn't even exist on linux.
>
> But there is a very simple solution, if safety is the reason to not include 
> my patch:
>
> I can change it so it only supports gnumeric files, not excel files. 
> ssconvert can convert oocalc, excel and gnumeric. But LyX can stick with 
> the .gnumeric extension in order to be safe. I don't think gnumeric has 
> such vulnerabilities designed into it.
>
> Would that be interesting?

I'm all for having support of gnumeric/excel/ooffice, but we are talking
about a delicate issue - before adding ssconvert we should be pretty
confident that it only produces .tex files without running any
additional code/script in the source files. (A question for the gnumeric devs?)

Apart from that, the original patch was pretty clear, so I don't see any other
hindrances.

pavel
